Bug 689919 - Build NSS without any softoken or util sources present in the tree
Summary: Build NSS without any softoken or util sources present in the tree
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.5
Hardware: All
OS: Linux
high
medium
Target Milestone: beta
: 6.6
Assignee: Elio Maldonado Batiz
QA Contact: Hubert Kario
URL:
Whiteboard:
Depends On: 689918 806588
Blocks: 693779
 
Reported: 2011-03-22 19:31 UTC by Elio Maldonado Batiz
Modified: 2014-10-14 05:02 UTC (History)

Fixed In Version: nss-3.16.1-5.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 689918
Environment:
Last Closed: 2014-10-14 05:02:19 UTC
Target Upstream Version:
Embargoed:


Attachments
spec file changes to build without freebl/softoken/util sources in the tree (12.12 KB, patch)
2011-08-29 23:49 UTC, Elio Maldonado Batiz
rrelyea: review+
patch sources, config, manifest and makefiles (11.75 KB, patch)
2011-08-30 00:00 UTC, Elio Maldonado Batiz
rrelyea: review+
change way we build pem module so it prefers system libraries (2.87 KB, patch)
2011-08-30 00:03 UTC, Elio Maldonado Batiz
rrelyea: review-
Add missing defines that ssl needs (1.23 KB, patch)
2011-08-30 00:06 UTC, Elio Maldonado Batiz
rrelyea: review+
Skip the mangling error test (871 bytes, patch)
2011-08-30 00:10 UTC, Elio Maldonado Batiz
rrelyea: review+
deals with using older version of nss-softokn (2.60 KB, patch)
2014-04-21 15:45 UTC, Elio Maldonado Batiz
no flags
specfile changes to build without softoken - in patch format (10.41 KB, patch)
2014-04-21 15:48 UTC, Elio Maldonado Batiz
no flags
Additional spec changes to truly build with softoken etc. removed (1.97 KB, patch)
2014-06-10 15:52 UTC, Elio Maldonado Batiz
rrelyea: review+


Links
System ID Private Priority Status Summary Last Updated
Mozilla Foundation 172051 0 P2 RESOLVED Add localizable error messages for NSS error codes 2020-03-06 13:23:45 UTC
Mozilla Foundation 681382 0 -- RESOLVED Remove from fipstest dependencies on higher layers of nss 2020-03-06 13:23:45 UTC
Mozilla Foundation 682885 0 -- RESOLVED Move EC point compression options macros to a public header 2020-03-06 13:23:45 UTC
Mozilla Foundation 753116 0 P1 RESOLVED softoken needs to split out common components to util 2020-03-06 13:23:45 UTC
Mozilla Foundation 835919 0 P2 RESOLVED Allow optionally building nss without softoken in the tree 2020-03-06 13:23:45 UTC
Red Hat Product Errata RHBA-2014:1378 0 normal SHIPPED_LIVE nss bugfix and enhancement update 2014-10-14 01:06:09 UTC

Description Elio Maldonado Batiz 2011-03-22 19:31:26 UTC
+++ This bug was initially created as a clone of Bug #689918 +++

Description of problem: 
The split of softoken and utils from nss as their own package done on nss-3.12.4 for fedora 12 is incomplete. We still need to carry around the entire sources. See https://bugzilla.redhat.com/show_bug.cgi?id=508479#c16

We compile everything and then, when making the rpm, remove the pieces that have already been shipped by nss-softokn and nss-util. nss should be able to build and meet its build dependencies on lower layers from the softokn/util libraries and headers already installed in the build system. This is not currently possible due to some unwanted dependencies of higher level code in nss on private headers of softokn and freebl.

Version-Release number of selected component (if applicable): nss-3.12.9

How reproducible: Always

Steps to Reproduce:
1. Create an nss source tar ball with the softokn/freebl/util sources removed
2. Try to compile nss.
An experimental script that does such removal is available.
  
Actual results:
It doesn't compile due to several missing headers

Expected results:
It builds.

Additional info:

Comment 2 Bob Relyea 2011-03-22 20:29:34 UTC
release flag should be set to 6.2.0

Comment 5 Elio Maldonado Batiz 2011-08-12 23:47:13 UTC
Copying here what I reported in https://bugzilla.redhat.com/show_bug.cgi?id=689918

Results of an attempt to build nss without softoken or util sources in the tree aren't promising. Several higher-level libraries and test tools need access to module-private headers from util, freebl, and softoken in order to compile.
 
libraries:
 1. lib/pk11wrap and sysinit use softoken's pkcs11 parser "header"
  NOTE: There are requests to move the parser to utils but this will be at best in a future release of nss

 2. lib/pk11wrap/dev3hack.c includes pk11init.h
 3. lib/pk11wrap/pk11akey.c uses pk11init.h
 4. lib/pk11wrap/pk11util.c uses pk11init.h
 5. lib/cryptohi/seckey.c uses ec.h
 6. lib/ssl3/ssl3ecc.c uses ec.h
 7. lib/ckfw/pem/anchor.c uses softoken.h
 NOTE: For 5/6/7 we may be able to export ec.h as a public header

 8. lib/ckfw/pem/ckpem.h uses lowkeyti.h via softoknt.h:
 9. lib/nssysinit.c includes pk11pars.h and so needs pk11init.h
 NOTE: Even if we move pk11pars.h to util we still have the
 problem of accessing pk11init.h which is at a higher level

 10. lib/base/arena.c indirectly includes nssilock.h from util
     and nssilock.h in turn includes utilrename.h and nssilckt.h
 11. lib/nss/utilwrap.c includes templates.c from util
 NOTE: That's a bit problematic, it's code not an exportable header
 I did a bit of a hack

tools ---
 12. cmd/pk11util/pk11util.c uses pk11init.h
 13. cmd/bltest/blapitest.c needs secrng (build it with nss-softokn?)
 NOTE: 
       blapitest should definitely be built as part of nss-softoken
       and I plan to do that but for a 3.13.x release.
       I will enter a bug upstream to that effect. We now have
       Mozilla bug 172051 approved which enables this as
       blapi test will no longer depend on higher level nss.
       
 14. cmd/fipstest/blapitest.c needs ec.h, lowkeyi.h, lowkeyti.h, softoken.h
 NOTE: Like in item 13 blapitest will be built with nss-softokn
 already doing this in Fedora but not in a clean manner.
 One big problem is the fact that NSS supports at runtime 
 configuring ssl in a bypass mode. Bypass means that ssl/tls 
 can be configured to bypass the pkcs11 layer and call freebl 
 directly. This should also be configured at build time. 
 This is a major piece of work to be conducted upstream.

 15. cmd/rsaperf/rsaperf.c lowkeyi.h

We may be able to move ec.h, moving other headers is more problematic.
NSS has the concept of private exports. These are headers we don't
export but are visible from other modules of nss. This no longer works
when we have separate packages.

Below is a hack I did in the spec file in order to compile as much as I could and be able to discover all the unwelcome dependencies I listed above.

As part of the %prep section
# Begin Coping hack -----------------------------------------
cp ./mozilla/security/nss/lib/softoken/pk11pars.h ./mozilla/security/nss/lib/pk11wrap/
cp ./mozilla/security/nss/lib/softoken/pk11pars.h ./mozilla/security/nss/lib/sysinit/
cp ./mozilla/security/nss/lib/softoken/pk11init.h ./mozilla/security/nss/lib/pk11wrap/
cp ./mozilla/security/nss/lib/freebl/ec.h ./mozilla/security/nss/lib/pk11wrap/
cp ./mozilla/security/nss/lib/softoken/pkcs11ni.h ./mozilla/security/nss/lib/pk11wrap/
cp ./mozilla/security/nss/lib/softoken/pkcs11ni.h ./mozilla/security/nss/lib/pk11wrap/
cp ./mozilla/security/nss/lib/freebl/ec.h ./mozilla/security/nss/lib/cryptohi/
cp ./mozilla/security/nss/lib/freebl/ec.h ./mozilla/security/nss/lib/ssl/
cp ./mozilla/security/nss/lib/softoken/softoken.h ./mozilla/security/nss/lib/ckfw/pem/
cp ./mozilla/security/nss/lib/softoken/lowkeyti.h ./mozilla/security/nss/lib/ckfw/pem/
cp ./mozilla/security/nss/lib/softoken/softoknt.h ./mozilla/security/nss/lib/ckfw/pem/
cp ./mozilla/security/nss/lib/softoken/pk11init.h ./mozilla/security/nss/lib/sysinit/
cp ./mozilla/security/nss/lib/util/nssilock.h ./mozilla/security/nss/lib/base
cp ./mozilla/security/nss/lib/util/utilrename.h ./mozilla/security/nss/lib/base
cp ./mozilla/security/nss/lib/util/nssilckt.h ./mozilla/security/nss/lib/base

# remove the #include "templates.c" at the end and append it's contents instead
find . -name utilwrap.c
sed -e 's/#include "templates.c"//' ./mozilla/security/nss/lib/nss/utilwrap.c > tmp
mv tmp ./mozilla/security/nss/lib/nss/utilwrap.c
find . -name utilwrap.c
cat ./mozilla/security/nss/lib/util/templates.c >> ./mozilla/security/nss/lib/nss/utilwrap.c
# Hope no one minds that bit of on-the-fly code modification

# -- tools:
cp ./mozilla/security/nss/lib/freebl/secrng.h ./mozilla/security/nss/cmd/bltest/

# remove subdirectories that we don't want
rm -rf ./mozilla/security/nss/lib/util
rm -rf ./mozilla/security/nss/lib/freebl
rm -rf ./mozilla/security/nss/lib/softoken

# remove blapitest because it relies on an unexported function
# blapitest will be part of nss-softokn anyway
rm -rf ./mozilla/security/nss/cmd/bltest
# End Coping hack -----------------------------------------

As stated, this was to create the problem list and it's not something that I would be doing in the spec file. 

As a long term goal it may be nice to be able to build just the higher levels of nss and not recompile what we have already shipped in nss-softokn and nss-util, but given the current state, attempting to do so by doing violence to the build system is not wise in my opinion and less satisfactory than what we are currently doing. I recommend not "fixing" this for RHEL 6.2.
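
An added example, not part of the original bug report or of NSS's build scripts: a shell function that automates the dependency survey in the comment above by listing every include in the remaining tree that only a to-be-removed directory can satisfy. The function names, the `sysinc` directory of already-installed headers and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: report includes in the remaining tree that only a
# to-be-removed directory (softoken/freebl/util) can satisfy.

# find_private_includes TREE SYSINC REMOVED_DIR...
#   TREE        root of the unpacked sources (hypothetical layout)
#   SYSINC      headers installed by the already-shipped devel packages
#   REMOVED_DIR directories, relative to TREE, that will be deleted in %prep
find_private_includes() {
    tree=$1; sysinc=$2; shift 2
    for d in "$@"; do
        for h in "$tree/$d"/*.h; do
            [ -e "$h" ] || continue            # directory has no headers
            name=${h##*/}
            [ -e "$sysinc/$name" ] && continue # exported: the system copy is usable
            name_re=$(printf '%s' "$name" | sed 's/[.]/\\./g')
            grep -rlE --include='*.c' --include='*.h' \
                "^[[:space:]]*#[[:space:]]*include[[:space:]]*[\"<]${name_re}[\">]" \
                "$tree" 2>/dev/null |
            while IFS= read -r f; do
                rel=${f#"$tree"/}
                skip=0
                for r in "$@"; do              # ignore users inside removed dirs
                    case $rel in "$r"/*) skip=1 ;; esac
                done
                [ "$skip" -eq 1 ] ||
                    printf '%s needs %s (private to %s)\n' "$rel" "$name" "$d"
            done
        done
    done | sort
}

# Constructed sample tree: file names follow the list in the comment above,
# file contents are placeholders.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/src/lib/softoken" "$t/src/lib/freebl" "$t/src/lib/util" \
             "$t/src/lib/pk11wrap" "$t/src/lib/cryptohi" "$t/sysinc"
    : > "$t/src/lib/softoken/pk11init.h"
    : > "$t/src/lib/freebl/ec.h"
    : > "$t/src/lib/freebl/blapit.h"
    : > "$t/sysinc/blapit.h"                   # exported by the installed package
    printf '#include "pk11init.h"\n' > "$t/src/lib/softoken/pkcs11.c"
    printf '#include "pk11init.h"\n' > "$t/src/lib/pk11wrap/pk11util.c"
    printf '#include "ec.h"\n#include "blapit.h"\n' > "$t/src/lib/cryptohi/seckey.c"
    printf '%s\n' "$t"
}

# Demo run on the constructed tree.
demo=$(make_sample_tree)
find_private_includes "$demo/src" "$demo/sysinc" lib/softoken lib/freebl lib/util
rm -rf "$demo"
```

Each reported line is a header that has to be exported, moved or dropped before the lower-layer directories can be deleted from the tree.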

Comment 7 Elio Maldonado Batiz 2011-08-24 18:56:01 UTC
To clarify on the need info. In order to get nss (the rest of nss) to compile I am forced to copy a bunch of files and I certainly don't want to do this. Is there a somewhat cleaner way to accomplish it given the current state of the sources?

Comment 8 Bob Relyea 2011-08-24 19:11:11 UTC
We really have a couple of options here, and each file is different. For each header ask:

1) is it really needed in the given context? If not remove the include.
2) is the needed symbol in the wrong header file?
    For instance anchor.h and ckpem.h including softoken.h, what symbol do they really need, and should that symbol be included in some already exported file (possibly in util).
3) is the header file itself in the wrong module (pk11pars.h comes to mind).
    I think glenn was a little too aggressive in moving files when he should have just moved symbols. secmodt.h, for instance, should never have been moved to softoken.
4) should the header itself actually be exported. ec.h is a likely candidate.

We should feel free to move symbols, and files if we need to, with the caveat that we can't really tweak with softoken that much. What we should do is build a version of what we *would* want if we could change softoken. That should be pushed upstream so it's picked up in RHEL 7. RHEL 5 is already hosed, so it's ok to keep whatever hacks we have there. For RHEL 6, we should feel free to 'copy' a file out of softoken rather than 'move' it. The tricky part comes if we 'copy' a symbol and wind up with conflicts with softoken's copy that we can't change. I suggest we resolve those after we build 'nirvana'.

bob

Comment 9 Elio Maldonado Batiz 2011-08-29 23:49:44 UTC
Created attachment 520484 [details]
spec file changes to build without freebl/softoken/util sources in the tree

Comment 10 Elio Maldonado Batiz 2011-08-30 00:00:10 UTC
Created attachment 520485 [details]
patch sources, config, manifest and makefiles

The changes are for RHEL 6 building only not to be submitted upstream. Maybe some.

The section with Index: ./mozilla/security/nss/lib/softoken/softokn.def
with the "NSS_3.12.10 { # NSS 3.12.10 release" was experimental and I forgot to remove it. In blapitest.c I had #ifdef'd out the call to sftk_fipsPowerUpSelfTest
because this is not a public call and I doubt we would make it public. On the other hand when I build blapitest as part of the nss-softoken build there is no problem. I'm doing that in Fedora but with some hacks. Once we update to 3.13 we will do it cleanly. And be able to compile fipstest.c as well.

Comment 11 Elio Maldonado Batiz 2011-08-30 00:03:52 UTC
Created attachment 520486 [details]
change way we build pem module so it  prefers system libraries

Comment 12 Elio Maldonado Batiz 2011-08-30 00:06:56 UTC
Created attachment 520488 [details]
Add missing defines that ssl needs

This is because we are at nss-softokn 3.12.9 and ssl needs them. blapit.h since 3.12.10 has them.

Comment 13 Elio Maldonado Batiz 2011-08-30 00:10:44 UTC
Created attachment 520489 [details]
Skip the mangling error test

We can't run this particular error test because there is no softokn3.so in mozilla/dist/Linux..../lib directory for the tool to mangle.

Comment 14 Elio Maldonado Batiz 2011-08-30 00:16:11 UTC
Comment on attachment 520484 [details]
spec file changes to build without freebl/softoken/util sources in the tree

With these changes and the patches I was able to do a brew scratch build. I had to disable a couple of tests as mentioned elsewhere.
Filed some upstream bugs. May do more as I understand dependencies better.

Comment 15 Bob Relyea 2011-08-30 00:34:58 UTC
Comment on attachment 520488 [details]
Add missing defines that ssl needs

r+ rrelyea

Though it may be better to add these to a private header file is ssl.h..

Comment 16 Bob Relyea 2011-08-30 00:36:07 UTC
Comment on attachment 520489 [details]
Skip the mangling error test

r+, though I'd like to see you getting a copy of the real softoken and try mangling it to make sure integrity is still working.

Comment 17 Bob Relyea 2011-08-30 00:41:01 UTC
Comment on attachment 520485 [details]
patch sources, config, manifest and makefiles

r+,

1. though you should probably put the coreconf changes under ifdef so we can push it upstream.

2. We aren't going to export the private symbols in softoken. blapi statically links with softoken.. Perhaps we should move blapi-test to nss-softoken in the future?

Comment 18 Bob Relyea 2011-08-30 00:42:57 UTC
Comment on attachment 520484 [details]
spec file changes to build without freebl/softoken/util sources in the tree

r+ for now, but we aren't complete until we straighten out the header file situation.

Comment 19 Elio Maldonado Batiz 2011-09-08 23:33:31 UTC
(In reply to comment #16)
I was able to copy the system token into the dist via the spec file but that caused the fips test to fail. I tried it via fips.sh, copying into the mangling directory, and had the same fips test failures.

Comment 20 Elio Maldonado Batiz 2011-09-08 23:40:05 UTC
Mistyped: s/system token/softoken.so/

Comment 21 Elio Maldonado Batiz 2011-09-08 23:46:45 UTC
Also, in Rawhide I am able to run the cipher suite (blapitest) as part of the nss-softoken build itself. I had to do some modifications to blapitest and create a set of the libsectool.a that only depends on softoken and below. I use it for testing and don't install it in the system and it is a temporary workaround. Yes, it's a bit hackish and I can't bring it into rhel 6 for nss-softoken, certainly not at this stage. The changes in nss 3.13 will make things a lot easier.

Comment 23 RHEL Program Management 2011-10-07 16:01:12 UTC
Since RHEL 6.2 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 24 John Jarvis 2011-11-09 16:03:14 UTC
Reflagging for review for RHEL 6.3 inclusion.

Comment 25 Elio Maldonado Batiz 2012-01-12 16:08:11 UTC
Since the revised patches rely on nss 3.13.x, and we haven't yet updated to it, let us continue the review on Bug 689918 for the time being. I have submitted revised and additional patches there for review.

Comment 26 Elio Maldonado Batiz 2012-02-14 19:33:52 UTC
From the review comments on Bug 689918 a lot of work is required to complete this task. Considering also the more pressing tasks that both the reviewer and the submitter have ahead of them it is not a realistic goal for rhel-6.3. We could change Target Release to rhel-6.4 at the earliest.

Comment 27 Elio Maldonado Batiz 2012-02-14 19:40:33 UTC
(In reply to comment #26)
Replace could with should. Clearing all flags and setting on rhel-6.4?.

Comment 28 Bob Relyea 2012-05-04 17:13:44 UTC
Comment on attachment 520486 [details]
change way we build pem module so it  prefers system libraries

r- everything looks correct except the addition of the -lsoftokn in the last file.

bob

Comment 34 Elio Maldonado Batiz 2014-04-21 15:45:20 UTC
Created attachment 888122 [details]
deals with using older version of nss-softokn

This is a local patch until we update nss-softokn. It's a modified version of the one we applied on rhel-5.

Comment 35 Elio Maldonado Batiz 2014-04-21 15:48:51 UTC
Created attachment 888123 [details]
specfile changes to build without softoken - in patch format

Comment 38 Elio Maldonado Batiz 2014-06-10 15:52:18 UTC
Created attachment 907311 [details]
Additional spec changes to truly build with softoken etc. removed

There were two mistakes which I found by examining intermediate steps.  In the %build section we have
-##### phase 1: remove util/freebl/softoken and low level tools
-######## Remove freebl, softoken and util
-%{__rm} -rf ./mozilla/securitynss/lib/freebl
....
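Review bot: the removed `%{__rm} -rf ./mozilla/securitynss/lib/freebl` line, as shown here, names a path with no separator between `security` and `nss`, and because `rm -rf` exits successfully when its target does not exist, a wrong or stale path at this step removes nothing and raises no error. Wherever the removal ends up, follow it with an explicit check that the directory is really gone (for example `test ! -d` on the same path), so that a mistyped path fails the build instead of leaving the freebl, softoken and util sources in the tree.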
and for the tools

The mozilla/security/ part in the patch is incorrect as we have now a shallower source tree. I corrected this and rechecked and it wasn't enough. Did an rhpkg %prep and then ls nss-3.16.1/nss/lib which showed util, freebl, and softoken still there and with ls nss-3.16.1/nss/cmd bltest, bltest, and rsaperf_low were still there. Removal must be done in the %prep phase as the very last set of actions after some copying of files has been done. That's why we have a prepping phase after all. These changes accomplish that and the directories are indeed removed as we want.

Comment 39 Bob Relyea 2014-06-10 21:34:50 UTC
Comment on attachment 907311 [details]
Additional spec changes to truly build with softoken etc. removed

r+

Comment 41 errata-xmlrpc 2014-10-14 05:02:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1378.html

